Top Middle East Cyber Threats – December 17th, 2024
At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
Researchers Expose Fraud Campaign Exploiting UAE National Day Festivities
Researchers have identified a sophisticated fraudulent campaign targeting consumers in the UAE. Cybercriminals are impersonating a Dubai authority to request payments for fictitious fines, including traffic tickets and license renewals. The campaign utilizes various social engineering techniques, such as phishing, smishing, and vishing. Taking advantage of the UAE’s festive period around National Day (December 2), the attackers have caused some financial disruptions and highlighted vulnerabilities among residents.
Authorities have issued public guidance, emphasizing that official institutions never request sensitive financial information via phone or unofficial communication channels.
Key Findings
- Fraudulent Campaign Details:
- Methods Used: Phishing emails, smishing messages, and vishing phone calls impersonating a Dubai authority.
- Tactics: Victims are threatened with severe consequences (e.g., license revocation, vehicle seizure) if payments are not made.
- Exploitation Period: A surge in fraudulent activity was observed during the UAE’s National Day and holiday period.
- Network Infrastructure Abuse:
- Fraudulent emails and smishing messages were sent through compromised domains from Albania (.al) and Oman (.om).
- Evidence of malicious domain registrations through Chinese registrars (e.g., “59.cn”) and Singapore-based companies (e.g., Gname.com).
- Fake notifications mimicking payment forms were used to harvest sensitive information.
- Smishing Triad:
- Domains and infrastructure were linked to a group offering fraud toolkits via Telegram.
This campaign highlights the urgent need for continuous vigilance, particularly during periods of heightened cybercriminal activity. By adopting a proactive security approach and raising public awareness, UAE residents can mitigate the risks posed by such fraudulent schemes.
Recommendations
- Verify communications and avoid trusting unknown calls, messages, or emails.
- Do not click or open links, files, or attachments from untrusted or unknown sources.
- Verify payment requests directly through official channels.
- Do not share sensitive details such as banking credentials or credit card information over the phone or through unverified sources.
- Configure email servers to block suspicious attachments and links.
- Monitor your network for abnormal behavior and Indicators of Compromise (IoCs).
- Educate employees on detecting and reporting phishing or suspicious emails.
Researchers Uncover IOCONTROL Malware Targeting IoT and OT Devices
Researchers have uncovered a custom-built malware, named IOCONTROL, targeting IoT and OT devices across Israel and the United States. IOCONTROL has been employed in compromising critical infrastructure, including fuel management systems, water treatment facilities, and other IoT/OT platforms from leading vendors.
This malware primarily targets civilian critical infrastructure, such as gas stations and water treatment facilities, particularly in the United States and Israel. The attacks are attributed to the CyberAv3ngers group. Key devices targeted include IP cameras, routers, PLCs, HMIs, firewalls, and fuel management systems from vendors such as Baicells, D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika, Unitronics, and Gasboy.
IOCONTROL leverages advanced techniques, including the MQTT protocol for C2 traffic, DNS over HTTPS for infrastructure obfuscation, and custom-packed binaries to evade detection and maintain persistence. The malware’s capabilities include arbitrary code execution, self-deletion, port scanning, and lateral movement, making it a potent tool for disrupting operations.
The CyberAv3ngers’ campaigns reflect ongoing geopolitical tensions, using IOCONTROL to demonstrate access and create fear. Their operations have included the bricking of Orpak systems and defacing water treatment facilities’ PLC/HMI devices.
Recommendations:
- Ensure all systems and firmware are patched and updated.
- Isolate IoT/OT devices from critical network segments to prevent lateral movement in case of compromise.
- Harden device configurations by disabling unused services, changing default credentials, and implementing access controls on IoT/OT devices.
- Monitor the network for abnormal behavior and IoCs.
- Ensure frequent backups are in place.
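The MQTT command-and-control and DNS-over-HTTPS behaviour described above gives defenders something concrete to hunt for in flow telemetry: an OT device should not be opening MQTT sessions to the internet or talking to a public DoH resolver. The following is an added illustration for this bulletin, not Claroty's or Help AG's code; the OT segment, the resolver list and the flow records are constructed assumptions.

```python
# Flag OT-segment hosts that open MQTT or DNS-over-HTTPS sessions outward.
# Added illustration for this bulletin, not Claroty's or Help AG's code; the
# flow records, segment and resolver list below are constructed assumptions.
import ipaddress
from collections import defaultdict

OT_SEGMENT = ipaddress.ip_network("10.50.0.0/16")   # assumed OT/IoT range
MQTT_PORTS = {1883, 8883}                           # plain and TLS MQTT
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "one.one.one.one"}  # assumed

def parse_flow(line):
    """Parse a 'src dst dport proto sni' record (constructed format)."""
    src, dst, dport, proto, sni = line.split()
    return {"src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "sni": None if sni == "-" else sni}

def classify(flow):
    """Label one flow: 'mqtt-egress', 'doh-egress' or None."""
    if ipaddress.ip_address(flow["src"]) not in OT_SEGMENT:
        return None                      # only OT sources are in scope
    if ipaddress.ip_address(flow["dst"]) in OT_SEGMENT:
        return None                      # intra-segment traffic is expected
    if flow["dport"] in MQTT_PORTS:
        return "mqtt-egress"             # OT device acting as MQTT client
    if flow["dport"] == 443 and flow["sni"] in DOH_HOSTS:
        return "doh-egress"              # resolver bypass via DoH
    return None

def find_suspects(lines):
    """Return {src_host: set_of_labels} for every flagged OT host."""
    findings = defaultdict(set)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_flow(line)
        label = classify(flow)
        if label:
            findings[flow["src"]].add(label)
    return dict(findings)

SAMPLE_FLOWS = """# constructed sample flow log: src dst dport proto sni
10.50.3.7 203.0.113.10 8883 tcp -
10.50.3.7 104.16.248.249 443 tcp cloudflare-dns.com
10.50.4.12 10.50.1.1 502 tcp -
10.20.9.9 203.0.113.10 1883 tcp -
10.50.5.2 198.51.100.5 443 tcp example.org
""".splitlines()

for host, labels in sorted(find_suspects(SAMPLE_FLOWS).items()):
    print(host, sorted(labels))   # 10.50.3.7 ['doh-egress', 'mqtt-egress']
```

Modbus traffic staying inside the segment and HTTPS to ordinary sites are left alone; only the host that both publishes to an external MQTT broker and resolves names through DoH is reported.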
Microsoft Issues Updates for 72 CVEs, Including 16 Critical Vulnerabilities
Microsoft has released updates to address 71 CVEs affecting Windows, Windows Components, Office, Office Components, SharePoint Server, Hyper-V, Defender for Endpoint, and System Center Operations Manager. Including third-party CVEs, the total count for this release reaches 72.
Among these patches, 16 are rated critical, 54 important, and one moderate in severity.
One of the CVEs has been publicly disclosed and is under active attack.
CVE-2024-49138 – Windows Common Log File System Driver Elevation of Privilege Vulnerability
This vulnerability is publicly known and under active attack. Microsoft has not provided details on where it was disclosed or the scope of the ongoing attacks. As an elevation of privilege (EoP) flaw, it is likely being exploited in combination with a code execution bug to compromise systems. Such tactics are frequently observed in ransomware attacks and targeted phishing campaigns.
CVE-2024-49112 – Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
With a CVSS score of 9.8, this is the most severe vulnerability addressed this month. It allows remote, unauthenticated attackers to exploit affected Domain Controllers by sending specially crafted LDAP calls. Successful exploitation results in code execution at the level of the LDAP service, which has elevated privileges but not SYSTEM-level access.
CVE-2024-49117 – Windows Hyper-V Remote Code Execution Vulnerability
This critical vulnerability enables an attacker on a guest VM to execute code on the underlying host OS, potentially facilitating cross-VM attacks. Exploitation requires basic authentication, but the potential impact on virtualization environments makes this a significant risk.
Recommendations
- Ensure all systems are promptly patched and updated to mitigate these vulnerabilities.
Cisco Releases Update to Address Critical NX-OS Vulnerability
Cisco has issued a security update to address a vulnerability in Cisco NX-OS Software that could allow an unauthenticated attacker with physical access to an affected device, or an authenticated local attacker with administrative credentials, to bypass NX-OS image signature verification.
The vulnerability arises due to insecure bootloader settings. Exploiting this flaw involves executing a series of bootloader commands, which, if successful, could enable the attacker to bypass the NX-OS image signature verification process and load unverified software onto the device.
Affected Products:
This vulnerability impacts the following Cisco products running a release of Cisco NX-OS Software with a vulnerable BIOS version, regardless of device configuration:
- MDS 9000 Series Multilayer Switches
- Nexus 3000 Series Switches
- Nexus 7000 Series Switches
- Nexus 9000 Series Fabric Switches (in ACI mode)
- Nexus 9000 Series Switches (in standalone NX-OS mode)
- UCS 6400 Series Fabric Interconnects
- UCS 6500 Series Fabric Interconnects
Mitigation:
Cisco has released software updates to resolve this issue. However, there are no available workarounds to address this vulnerability. As of now, Cisco has not observed any public announcements or malicious exploitation of this vulnerability.
Recommendations
- Ensure all affected systems are promptly patched and updated to mitigate the risks associated with this vulnerability.
Splunk Releases Security Update to Fix Critical RCE Vulnerability and Other Issues
Splunk has published a security update to address multiple vulnerabilities in third-party packages, Splunk Enterprise, Splunk Cloud Platform, and Splunk Secure Gateway versions. Out of the seven security updates released today, two are classified as high, three as medium, one as low, and one as informational in severity.
CVE-2024-53247 – Remote Code Execution through Deserialization of Untrusted Data in Splunk Secure Gateway App
In Splunk Enterprise versions prior to 9.3.2, 9.2.4, and 9.1.7, as well as versions below 3.2.461 and 3.7.13 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user without “admin” or “power” roles could exploit this vulnerability to perform Remote Code Execution (RCE).
This RCE is possible due to unsafe deserialization of data stemming from the insecure use of the jsonpickle Python library.
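The root cause, passing attacker-controlled data to jsonpickle, is avoidable by treating untrusted input as plain JSON and refusing anything that carries jsonpickle's object-reconstruction tags. The following is an added illustration for this bulletin, not Splunk's code; the request bodies are constructed and the class path in the tagged sample is a placeholder.

```python
# Reject untrusted JSON that carries jsonpickle object-reconstruction tags.
# Added illustration for this bulletin, not Splunk's code: it shows the
# allow-listing that keeps jsonpickle.decode() away from attacker-controlled
# input. Standard library only, so it runs without jsonpickle installed.
import json

# Reserved keys jsonpickle uses to rebuild Python objects. Any of them in
# untrusted input means the payload is requesting object reconstruction.
JSONPICKLE_TAGS = {
    "py/object", "py/type", "py/reduce", "py/function", "py/newobj", "py/newargs",
    "py/state", "py/repr", "py/module", "py/property", "py/initargs", "py/id", "py/ref",
}

class UnsafePayload(ValueError):
    """Raised when a payload contains object-reconstruction tags."""

def find_tags(node, path="$"):
    """Return JSON paths at which jsonpickle tags appear, in document order."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key in JSONPICKLE_TAGS:
                hits.append(f"{path}.{key}")
            hits.extend(find_tags(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_tags(item, f"{path}[{i}]"))
    return hits

def load_plain_data(text, max_bytes=65536):
    """Parse untrusted JSON as plain data only; never call jsonpickle.decode
    on it. Oversized input and any reconstruction tag are rejected."""
    if len(text) > max_bytes:
        raise UnsafePayload("payload too large")
    data = json.loads(text)           # yields only dicts, lists and scalars
    hits = find_tags(data)
    if hits:
        raise UnsafePayload("jsonpickle tags at " + ", ".join(hits))
    return data

def is_plain(text):
    """Convenience predicate: True when load_plain_data() would accept it."""
    try:
        load_plain_data(text)
        return True
    except ValueError:                # covers UnsafePayload and bad JSON
        return False

# Constructed samples: a benign request body and one smuggling a py/object
# tag (the class path is a placeholder; no real module is named).
BENIGN = '{"user": "alice", "filters": [{"field": "host", "value": "web1"}]}'
TAGGED = '{"user": "alice", "ctx": {"py/object": "PLACEHOLDER.Class"}}'
```

The same check is useful as a detection: log every rejection with the reported path, since a legitimate client never sends these keys.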
Splunk has released fixes for all affected versions. It is highly recommended to upgrade vulnerable systems to the latest patched versions.
Recommendations
- Ensure all systems are patched and updated to mitigate potential risks.
Tenable Addresses Multiple PHP Vulnerabilities in Security Center Update
Tenable has published a security update addressing multiple vulnerabilities in Security Center 6.5.0 and earlier versions. These vulnerabilities exist in the PHP version used in Security Center. To resolve these issues, Tenable upgraded the third-party component to PHP version 8.2.26 and released a new version of Security Center (6.5.1).
CVE-2024-8932
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, and 8.3.* before 8.3.14, uncontrolled long string inputs to the ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.
CVE-2024-11236
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, and 8.3.* before 8.3.14, uncontrolled long string inputs to the ldap_escape() function on 32-bit systems can cause an integer overflow, leading to an out-of-bounds write.
CVE-2024-11233
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, and 8.3.* before 8.3.14, an error in the convert.quoted-printable-decode filter can cause certain data to lead to a buffer overread by one byte. This can, in certain circumstances, result in crashes or disclose content from other memory areas.
Recommendations:
- Ensure all systems are patched and updated to the latest available versions.